Security object creation, validation, and assertion for single sign on authentication

ABSTRACT

A security object creation and validation system provides an additional factor of authentication. An authentication system as described herein provides secure two-factor authentication, such as for IT resources in an organization. The authentication system can perform generation of a security object (such as an X.509 object, Java object, persistent browser token, or other digital certificate); registration of the generated security object or of an existing security object (such as a near field communication identifier, smart card identifier, OATH token, etc.); validation of the security object as part of an authentication process; and assertion of the identity of the security object to native network resources (such as web resources, network resources, cloud resources, mobile applications, and the like) that may accept the security object. The authentication system may provide user interfaces to allow users and administrators to manage registered device inventory and revoke security objects.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/631,543, entitled “SECURITY OBJECT CREATION, VALIDATION, AND ASSERTION FOR SINGLE SIGN ON AUTHENTICATION” and filed on Feb. 25, 2015, which claims the benefit of U.S. Provisional Application No. 61/944,991, entitled “A security object creation and validation system and method that includes identity conversion and assertion for mobile” and filed on Feb. 26, 2014, the disclosures of which are hereby incorporated by reference herein in their entireties.

TECHNICAL FIELD

The present disclosure relates to systems and techniques for authentication. More specifically, the disclosure relates to providing multifactor authentication and single-sign-on for users and their devices based on device security object creation and validation.

BACKGROUND

Single factors of authentication by themselves can have security issues. For example, if a hacker acquires a user's password, then the hacker may be able to gain access to other network resources for which the user has registered the same password for authentication. Therefore, to increase security, many enterprise applications, cloud applications, mobile applications, and other networked resources require more than one factor of authentication. For example, in addition to a username and password, a network resource may require the user to authenticate with a second factor of authentication, such as a one-time password, a digital signature based on a certificate, etc.

When two or more factors of authentication are required, a hacker has more difficulty acquiring all of the information necessary to access a user's network resources. However, multi-factor authentication can be more burdensome for users.

SUMMARY

In one embodiment, a system for providing single-sign-on (SSO) credentials for a user on a mobile device to multiple network resources comprises: one or more hardware processors; a computer-readable memory; and an authentication system comprising executable instructions stored in the computer-readable memory, wherein the one or more processors are programmed to at least: receive, over a network, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, and wherein the request includes a security object associated with the mobile device; validate the security object as authentic by: determining, from the security object, a security object identifier; and determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization; when a determination is made that the security object identifier is associated with the mobile device and the user in the identity database, authenticate the user and the mobile device by: receiving a second authentication factor from the mobile device; validating the second authentication factor by comparing the second authentication factor with user data associated with the user, the user data accessed from the identity database; when a successful authentication of the mobile device and the user is made, determine an identity assertion format acceptable to the first network resource; create an identity assertion object related to the user in the determined identity assertion format, the identity assertion object being distinct from the security object and the object identifier; and provide, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.

In one embodiment, a computerized method for providing single-sign-on (SSO) credentials for a user on a mobile device to multiple network resources comprises: by an authentication system comprising computer hardware and memory, the authentication system configured with specific executable instructions: receiving, over a network, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, and wherein the request includes a security object associated with the mobile device; validating the security object as authentic by: determining, from the security object, a security object identifier; and determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization; when a determination is made that the security object identifier is associated with the mobile device and the user in the identity database, authenticating the user and the mobile device by: receiving a second authentication factor from the mobile device; validating the second authentication factor by comparing the second authentication factor with user data associated with the user, the user data accessed from the identity database; when a successful authentication of the mobile device and the user is made, determining an identity assertion format acceptable to the first network resource; creating an identity assertion object related to the user in the determined identity assertion format, the identity assertion object being distinct from the security object and the object identifier; and providing, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.

In one embodiment, non-transitory physical computer storage comprises computer-executable instructions stored thereon that, when executed by a hardware processor, are configured to perform operations comprising: receiving, by an authentication system, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, and wherein the request includes a security object associated with the mobile device; validating the security object as authentic by: determining, from the security object, a security object identifier; determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization; when a determination is made that the security object identifier is associated with the mobile device and the user in the identity database, authenticating the user and the mobile device; when a successful authentication of the mobile device and the user is made, determining an identity assertion format acceptable to the first network resource; creating an identity assertion object related to the user in the determined identity assertion format, the identity assertion object being distinct from the security object and the object identifier; and providing, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.

BRIEF DESCRIPTION OF DRAWINGS

Throughout the drawings, reference numbers may be re-used to indicate correspondence between referenced elements. The drawings are provided to illustrate example embodiments described herein and are not intended to limit the scope of the disclosure.

FIG. 1 is a block diagram of illustrative network(s) including multiple user computing devices, multiple services and servers, and authentication mechanisms, as described in some embodiments.

FIG. 2 is a block diagram of illustrative processes, communications and data flows between a user computing device and an authentication system for security object creation and registration, as described in some embodiments.

FIG. 3 is a block diagram of illustrative processes, communications and data flows between a user computing device and an authentication system for validation of a security object, as described in some embodiments.

FIG. 4 is a block diagram of illustrative processes, communications and data flows between a user computing device and an authentication system, implementing a cloud service, for validation or registration of a security object, as described in some embodiments.

FIG. 5 is a flow diagram of illustrative processes, communications and data flows between a user computing device, an enterprise app/web server and an authentication system to register and/or validate a security object for the user computing device, as described in some embodiments.

FIG. 6 is an illustrative, web-based user interface of a security object management and/or revocation interface, as described in some embodiments.

FIG. 7A is an illustrative, web-based user interface of a security object management and/or revocation interface, as described in some embodiments.

FIG. 7B is an illustrative web-based user interface of a security object management and/or revocation interface, as described in some embodiments.

FIG. 8A is a flow diagram of an illustrative process for an authentication system to allow a user to manage or revoke their security objects associated with devices, as described in some embodiments.

FIG. 8B is a flow diagram of an illustrative process for an authentication system to allow an administrator to manage or revoke security objects associated with devices, as described in some embodiments.

FIG. 9 illustrates a network environment and computer systems and devices with which various methods and systems discussed herein may be implemented, according to various embodiments of the present disclosure.

DETAILED DESCRIPTION OF SPECIFIC EMBODIMENTS

Security Object Creation and Validation as an Additional Factor of Authentication

The present disclosure is directed to providing single sign-on, multiple factor authentication for user computing devices and their users. Specifically, the disclosure relates to a single sign-on process in which browsers, mobile applications, etc., may initially register a user device security object using an additional factor of authentication that may require user interaction (such as a one-time password or knowledge based authentication). This security object, which is stored in association with a particular device or user, may then be used as an additional authentication factor in the future in lieu of, or in conjunction with, additional authentication factors that require user interaction.

For example, in some embodiments, a user may initially browse to an enterprise's web resource, app resource, or other network resource. For instance, the user may point his web browser to an enterprise's web-based portal to access a web-based email system on an enterprise's web server. The enterprise's web server may authenticate the user, using a username and password, and check the username and password credentials against the enterprise's directory.

After the user initially authenticates to the enterprise's web server with a username and password (i.e. a first authentication factor), the web server may redirect the user's browser running on the user computing device to a cloud based or other system that will require an additional authentication factor. Successful authentication with this additional authentication factor may be required prior to the user accessing the web-based email service. This redirect may be performed using standard W3C methods, and may include, in the redirect, user ID and other contact information such as an email address or mobile phone number.

The authentication system may then use this user ID, email address, and/or mobile phone number to register the user computing device the user is currently using. For example, the authentication system may now further authenticate the user using the contact information, such as by sending a generated one-time password or link to the email address, or by delivering the generated one-time password to the mobile phone via Short Message Service (“SMS”) text, push notification, etc. The user may then, by clicking on the link in his email or typing the one-time password into the authentication system's web interface, send the one-time password to the authentication system. At this point, the one-time password sent by the user can be compared to the one generated by the authentication system.
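The issue-then-compare step described above, written out as an added example (this code is not part of the patent disclosure). It keeps pending one-time passwords in a constructed in-memory dictionary; the 300-second validity window and the three-attempt limit are assumed values, since the disclosure does not specify them.

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending one-time passwords, keyed by user ID.
# A real authentication system would keep these in shared, expiring storage.
PENDING_OTPS = {}

OTP_TTL_SECONDS = 300   # assumed validity window
OTP_MAX_ATTEMPTS = 3    # assumed limit on wrong guesses before the OTP is discarded


def issue_otp(user_id, now=None, digits=6):
    """Generate a numeric one-time password for out-of-band delivery (email, SMS, push).

    A fresh OTP replaces any earlier pending one for the same user.
    """
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(digits))
    PENDING_OTPS[user_id] = {"code": code, "issued_at": now, "attempts": 0}
    return code


def verify_otp(user_id, submitted, now=None):
    """Compare the OTP the user sent back with the one that was generated.

    True only for a single, unexpired, exact match. The pending record is
    removed on success, on expiry and after too many failed attempts, so one
    OTP can never be accepted twice and cannot be guessed digit by digit.
    """
    now = time.time() if now is None else now
    record = PENDING_OTPS.get(user_id)
    if record is None:
        return False
    if now - record["issued_at"] > OTP_TTL_SECONDS:
        del PENDING_OTPS[user_id]
        return False
    record["attempts"] += 1
    # Constant-time comparison: the response time does not reveal how many
    # leading digits of a wrong guess were correct.
    ok = hmac.compare_digest(record["code"], str(submitted))
    if ok or record["attempts"] >= OTP_MAX_ATTEMPTS:
        del PENDING_OTPS[user_id]
    return ok
```

The comparison deliberately goes through `hmac.compare_digest` rather than `==`, and the record is deleted on success so a replayed OTP (for instance one captured from an SMS) is rejected on the second use.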

In one embodiment, as part of the initial user authentication process, an administrator and/or the authentication system may be able to optionally inject an extra layer of risk-based analysis, to inspect one or more elements such as the IP address acceptance range, an IP address risk attribute, and/or a geo-velocity (e.g., the distance and time between a last login and a current login). All the returned attributes can then be taken into consideration for a potential of stopping the user from logging in, or to step-up the user authentication process to further challenge the user, including for example more options of one-time password delivery via out of band mechanisms.
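An added example of the risk-based layer just described, not code from the disclosure: each of the three attributes it names (IP acceptance range, IP risk attribute, geo-velocity between the last and current login) contributes a signal, and the number of signals decides between allowing the login, stepping the user up to a further challenge, or stopping the login. The policy values, the CIDR ranges, the risky-IP set and the 1000 km/h threshold are constructed assumptions, and the login coordinates are assumed to come from an IP geolocation lookup done elsewhere.

```python
import ipaddress
import math
from dataclasses import dataclass


@dataclass
class LoginEvent:
    """One login observation: source IP, geolocated coordinates, epoch seconds."""
    ip: str
    lat: float
    lon: float
    timestamp: float


# Constructed policy; in a deployment these come from administrator configuration.
POLICY = {
    "accepted_ip_ranges": ["10.0.0.0/8", "203.0.113.0/24"],
    "risky_ips": {"198.51.100.7"},   # e.g. populated from an IP reputation feed
    "max_velocity_kmh": 1000.0,      # faster than this between logins is implausible
}

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geo_velocity_kmh(last, current):
    """Speed the user would have needed to travel between the two logins."""
    hours = (current.timestamp - last.timestamp) / 3600.0
    distance = haversine_km(last.lat, last.lon, current.lat, current.lon)
    if hours <= 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def ip_in_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def assess_login(last, current, policy=POLICY):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'.

    One signal steps the user up to a further challenge (e.g. another
    out-of-band OTP delivery); two or more stop the login outright.
    """
    reasons = []
    if not ip_in_ranges(current.ip, policy["accepted_ip_ranges"]):
        reasons.append("ip_outside_accepted_range")
    if current.ip in policy["risky_ips"]:
        reasons.append("risky_ip")
    if last is not None and geo_velocity_kmh(last, current) > policy["max_velocity_kmh"]:
        reasons.append("implausible_geo_velocity")
    if len(reasons) >= 2:
        return "deny", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons
```

The returned reasons are what an administrator would want in the authentication log: they explain why a particular login was challenged or stopped, which the bare decision does not.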

Once the user is initially authenticated, the authentication system may then create a security object to be associated with the device and/or the user. The security object may, for example, comprise a token or other persistent data object which may be created in various formats such as an X.509 object (e.g., an X.509 soft ID, an X.509 smart card), a Java object, a Persistent Browser token, or other type of security object or digital certificate. The security object may include an identifier or ID which may be mapped to a local identity store which stores associations of security objects/IDs, devices, and users. The security object associated with the device is then stored in the authentication system's storage in association with the user ID. The user device may then receive an authentication token provided by the authentication system, such as a cookie or redirect URL parameter (in plain text or encrypted), that may be returned to the enterprise's web service indicating that the user device performed the additional authentication factor. The security object or security ID may also be provided to the user device to be stored and associated locally for future use in authentication processes.

In some embodiments, an existing security object may also be registered and associated with the user and/or the user device. For example, existing security objects or tokens may include but are not limited to: existing smart card identifiers, near field communication (“NFC”) object identifiers, Bluetooth object identifiers, OATH tokens (software-based), OATH tokens (hardware-based), and device characteristics/info provided from the user device, including: a serial number, a Unique Device Identifier (“UDID”) as used in the iOS operating system, an advertiser ID, and/or a device fingerprint which may be a hash or other amalgamation of information (such as device characteristics).

In some embodiments, the system may send a device characteristic capture script to the user's device to capture information about the device, such as HTTP header information, identifiers of browser plug-ins, networking addresses, screen size and/or resolution, HTML5 session storage information, Internet Explorer User Data Support information, Browser Cookie enable/disable settings, a time zone, and/or other information. After gathering this information, the capture script may instruct the user's device to send this information back to the authentication system. The device fingerprint may be based on some or all of the received device characteristics, and may comprise or be based at least in part on a hash value (such as by using MD5, SHA-1, SHA-256, SHA-3, HAVAL, and/or another hash algorithm) generated over all of the received device characteristics. The device characteristics and/or fingerprint may also be stored in the authentication system's storage in association with the user ID.

These device characteristics could include, for example, HTTP header information, including, but not limited to, one or more of the HTTP user-agent header, the HTTP accept header, the HTTP accept-charset header, the HTTP accept-encoding header, the HTTP accept-language header, etc. The characteristics may also include a browser plugin list, which may include the names of each plugin, the versions of each plugin, and/or how they are installed. The characteristics may also include a list of fonts that the browser has installed, such as browser Flash fonts. The characteristics may also include the device IP address and/or network card address (such as a MAC address), and other operating system settings such as the device screen resolution on one or more display screens, or any data stored in HTML5 local storage or HTML5 session storage. The characteristics may also include Internet Explorer user data support information, or values stored therein, or browser cookie data such as whether the browser cookie setting is enabled or disabled, or any cookie stored by the browser. They may also include the user's time zone or the OS language that is installed on the operating system, among other characteristics.
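An added example (not from the disclosure) of turning the characteristics listed in the preceding two paragraphs into the hash-based device fingerprint: the received attributes are canonicalized so that the order in which the capture script happened to enumerate plugins or fonts does not change the result, then hashed with one of the named algorithms. The `SAMPLE_CHARACTERISTICS` dictionary is a constructed sample of what a capture script might return; the attribute names in it are this example's own, not the patent's.

```python
import hashlib
import hmac
import json

# Constructed sample of what the capture script might report; real collection
# would populate this from the browser (via JavaScript) and the HTTP headers.
SAMPLE_CHARACTERISTICS = {
    "http_user_agent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) Chrome/40.0",
    "http_accept": "text/html,application/xhtml+xml",
    "http_accept_charset": "utf-8",
    "http_accept_encoding": "gzip, deflate",
    "http_accept_language": "en-US,en;q=0.8",
    "plugins": [{"name": "Shockwave Flash", "version": "16.0.0"},
                {"name": "Chrome PDF Viewer", "version": ""}],
    "fonts": ["Arial", "Verdana", "Tahoma"],
    "screen": {"width": 1920, "height": 1080},
    "timezone_offset_minutes": 300,
    "cookies_enabled": True,
    "html5_session_storage": True,
    "ie_user_data_support": False,
}


def _normalize(value):
    """Sort dict keys and list elements recursively, so the serialization does
    not depend on the order in which attributes were reported."""
    if isinstance(value, dict):
        return {k: _normalize(value[k]) for k in sorted(value)}
    if isinstance(value, list):
        items = [_normalize(v) for v in value]
        return sorted(items, key=lambda v: json.dumps(v, sort_keys=True))
    return value


def canonicalize(characteristics):
    """Deterministic byte string over all received characteristics."""
    normalized = _normalize(characteristics)
    return json.dumps(normalized, sort_keys=True, separators=(",", ":")).encode("utf-8")


def device_fingerprint(characteristics, algorithm="sha256"):
    """Hex digest over the canonical characteristics.

    Algorithm names are hashlib's ("md5", "sha1", "sha256", "sha3_256");
    HAVAL, also mentioned in the disclosure, is not available in hashlib.
    """
    digest = hashlib.new(algorithm)
    digest.update(canonicalize(characteristics))
    return digest.hexdigest()


def fingerprint_matches(stored_fingerprint, characteristics, algorithm="sha256"):
    """Recompute the fingerprint from freshly captured characteristics and
    compare it with the stored value in constant time."""
    return hmac.compare_digest(stored_fingerprint, device_fingerprint(characteristics, algorithm))
```

Because the hash covers every attribute, any single change (a browser update altering the user-agent string, a new plugin) produces a different fingerprint; a deployment that wants tolerance for such drift would store the individual attributes as well and compare them with a match threshold, using the hash only as a fast exact-match check.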

Once the user is initially authenticated and the existing security object is registered, an identifier associated with the security object and/or the user device may be associated with the user and stored, similar to how a security object created by the authentication system may be stored and associated as described herein.

In the future, when the user and his/her user device attempt to access the same enterprise web server (or a different enterprise web/app server), the web server may then redirect the user's device, after the user has authenticated with a username/password, to the authentication system, transferring the security object or ID. For example, in one instance, the user may be directed to provide the security object or ID, either automatically in a background process (e.g., as a soft X.509 authentication) or by manually performing an action (e.g., the user must insert an NFC proxy card, a smart card, or present the user device itself as part of an NFC communication). As further described herein, multiple security objects and/or user devices may be “inventoried” and associated with a user. The authentication system may then look up the user's associated stored device security objects by the received user ID. If that security object matches any of the stored security objects, the device is considered to have authenticated with an additional factor of authentication without any input required from the user (e.g. no one-time password interaction required, etc.). The user device may then again receive an authentication token, such as a cookie or redirect URL parameter (in plain text or encrypted), that may be returned to the enterprise's web service indicating that the user device performed the additional authentication factor.
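The registration, inventory, validation and revocation flow of the last several paragraphs, as an added example that is not the disclosure's own code. The `IdentityStore` class is a constructed in-memory stand-in for the identity store the disclosure describes; the HMAC-signed authentication token, its 300-second lifetime and the `|`-delimited layout are assumptions made here, and the security object identifiers in the test are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class SecurityObject:
    object_id: str       # e.g. an X.509 serial, NFC identifier or OATH token serial
    kind: str            # "x509", "nfc", "oath", "fingerprint", ...
    device_label: str    # name shown in the device management interface
    registered_at: float
    revoked: bool = False


class IdentityStore:
    """Constructed in-memory identity store: user ID -> inventory of security objects."""

    def __init__(self):
        self._inventory = {}  # user_id -> list[SecurityObject]

    def register(self, user_id, object_id, kind, device_label, now):
        objs = self._inventory.setdefault(user_id, [])
        if any(o.object_id == object_id and not o.revoked for o in objs):
            raise ValueError("security object already registered for this user")
        objs.append(SecurityObject(object_id, kind, device_label, now))

    def inventory(self, user_id):
        """Active (non-revoked) objects, as listed in the management interface."""
        return [o for o in self._inventory.get(user_id, []) if not o.revoked]

    def revoke(self, user_id, object_id):
        for o in self._inventory.get(user_id, []):
            if o.object_id == object_id and not o.revoked:
                o.revoked = True
                return True
        return False

    def validate(self, user_id, presented_id):
        """True iff the presented identifier matches an active object of this user.

        Every entry is compared (no early return) with a constant-time check;
        identifiers are assumed to be ASCII strings, as compare_digest requires.
        """
        matched = False
        for o in self.inventory(user_id):
            if hmac.compare_digest(o.object_id, presented_id):
                matched = True
        return matched


TOKEN_KEY = secrets.token_bytes(32)  # assumed per-process signing key for auth tokens
TOKEN_TTL = 300                       # assumed token lifetime in seconds


def issue_auth_token(user_id, object_id, now, ttl=TOKEN_TTL):
    """HMAC-signed token the device returns to the web server as proof that the
    additional factor was performed. Fields must not contain '|'."""
    payload = "|".join([user_id, object_id, str(int(now) + ttl)])
    sig = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + sig


def verify_auth_token(token, now):
    """Return (user_id, object_id) for a validly signed, unexpired token, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    payload = "|".join(parts[:3])
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, parts[3]):
        return None
    if now >= int(parts[2]):
        return None
    return parts[0], parts[1]


def second_factor_by_object(store, user_id, presented_id, now):
    """The validation step: if the presented security object is in the user's
    inventory, the additional factor is satisfied with no user interaction."""
    if not store.validate(user_id, presented_id):
        return None
    return issue_auth_token(user_id, presented_id, now)
```

Revocation only flips a flag on the stored object, so the inventory keeps a record of what was revoked and when it had been registered; the returned token is bound to the user and the object it was issued for, which is what the relying web server should check before trusting it.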

In one embodiment, the authentication processes described herein may involve converting a security object or token to a form that may be accepted by a relying entity or enterprise, if required. For example, the relying entity may not be enabled to accept or process the authentication security object. For example, the user may have registered an NFC object or a mobile device to his user account, and then authenticated with the authentication system. The authentication system would then be able to assert this object to a relying entity, including for example: a web server (e.g., SharePoint, J2EE web server, Apache/Tomcat, etc.); a cloud service (e.g., Google Apps, Microsoft Office 365, Salesforce, etc.); a network resource (e.g., Juniper VPN, Cisco ASA VPN, F5 BigIP network proxy, etc.); and/or mobile apps (e.g., apps for Android, IOS, Windows, browser apps/extensions, etc.).

In this example embodiment, the relying entity, for example a SharePoint server, may not accept the registered authentication token (e.g., NFC Proxy Card, Smart Card, X.509 cert, etc.). Instead, the authentication server/service may conduct the security object authentication, and then assert an appropriate SSO token (web or other) to the relying entity. For example, the SSO token could be in the form of a SAML, WS-Fed, OpenID, URL GUID, or some other accepted/predetermined object. The SSO token may be configured on a per resource basis, and may be different for each relying entity. For example, a mapping of resources to relying entities may be stored or readily accessible in a directory by the authentication system.
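An added example of the conversion step in the two paragraphs above: after the security object has been validated, the authentication system looks up which format the relying entity accepts and issues an identity assertion about the user, an object distinct from the security object itself. This is not the disclosure's code. The `RESOURCE_FORMATS` mapping, the resource host names and the shared HMAC key are constructed assumptions, and the SAML/WS-Fed and OpenID renderings are deliberately minimal illustrative shapes that show the selection and audience/expiry checks, not spec-conformant SAML or OpenID tokens (a deployment would produce those with a SAML or OIDC library).

```python
import base64
import hashlib
import hmac
import json
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed mapping of relying-party resources to the assertion format each
# accepts; the disclosure keeps such a mapping in a directory.
RESOURCE_FORMATS = {
    "sharepoint.example.internal": "ws-fed",
    "mail.example.com": "saml",
    "crm.example.com": "openid",
    "legacy-portal.example.internal": "url-guid",
}

ASSERTION_KEY = b"constructed-demo-key-do-not-reuse"  # assumed key shared with relying parties
GUID_ASSERTIONS = {}  # server-side claims a URL GUID relying party fetches once


def determine_assertion_format(resource):
    """Which SSO object the relying party accepts; unknown resources are refused."""
    fmt = RESOURCE_FORMATS.get(resource)
    if fmt is None:
        raise KeyError(f"no assertion format configured for {resource}")
    return fmt


def _sign(data: bytes) -> str:
    return hmac.new(ASSERTION_KEY, data, hashlib.sha256).hexdigest()


def _attr(value):
    return escape(str(value), {'"': "&quot;"})


def _render(fmt, claims):
    """Serialize the claims in the relying party's format (illustrative shapes only)."""
    if fmt in ("saml", "ws-fed"):
        return (f'<Assertion ID="{claims["jti"]}" Audience="{_attr(claims["aud"])}" '
                f'NotOnOrAfter="{claims["exp"]}"><NameID>{escape(claims["sub"])}</NameID></Assertion>')
    if fmt == "openid":
        raw = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    if fmt == "url-guid":
        GUID_ASSERTIONS[claims["jti"]] = claims
        return f"https://{claims['aud']}/sso?guid={claims['jti']}"
    raise ValueError(fmt)


def create_identity_assertion(user_id, resource, issued_at, ttl=300):
    """Build the assertion for `resource`; it names the user, never the security object."""
    fmt = determine_assertion_format(resource)
    claims = {"sub": user_id, "aud": resource, "iat": int(issued_at),
              "exp": int(issued_at) + ttl, "jti": uuid.uuid4().hex}
    rendered = _render(fmt, claims)
    return {"format": fmt, "assertion": rendered, "signature": _sign(rendered.encode())}


def relying_party_accepts(envelope, resource, now):
    """What the relying party checks: signature, audience, expiry. Returns the subject or None."""
    rendered = envelope["assertion"]
    if not hmac.compare_digest(_sign(rendered.encode()), envelope["signature"]):
        return None
    fmt = envelope["format"]
    if fmt in ("saml", "ws-fed"):
        root = ET.fromstring(rendered)
        claims = {"sub": root.findtext("NameID"), "aud": root.get("Audience"),
                  "exp": int(root.get("NotOnOrAfter"))}
    elif fmt == "openid":
        padded = rendered + "=" * (-len(rendered) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    elif fmt == "url-guid":
        claims = GUID_ASSERTIONS.pop(rendered.rsplit("guid=", 1)[1], None)  # single use
    else:
        return None
    if claims is None or claims["aud"] != resource or now >= claims["exp"]:
        return None
    return claims["sub"]
```

The audience check is the important one for single sign-on: an assertion minted for the mail server must not be accepted by the CRM, even though both trust the same authentication system and the same signing key.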

In various embodiments described herein, the security object created on the fly for each device may be compared to past stored security objects on a per user basis. This “security object” comparison may be considered an additional factor of authentication going forward, and may be used in lieu of (or in addition to) a user-interaction based, or certificate based, additional factor of authentication.

Network and System Overview

FIG. 1 illustrates an example network and its connected system(s)/devices that may perform the methods described herein. Network 101, which could be the Internet or any wide area network or local area network, may connect user computing devices 110 a, 110 b, 110 c, 110 d, which are illustrated here as examples of a variety of user computing devices (often referred to as user computing device 110 or user device 110 as representing one of these types of devices). These types of devices may access authentication system 102 for authentication. For example, desktop 110 a may comprise, as software, an Internet browser (such as a web browser—Chrome, Safari, Internet Explorer, Firefox, etc.) and an operating system (such as Windows 7/8, OS X, Linux, Android, IOS, etc.), and may also comprise hardware processors, memory and I/O devices. The hardware processor(s) may execute program instructions that are stored in memory and/or other data storage such as a hard drive or solid state disk. Other I/O devices may include a display and a network connectivity device, such as a network card (e.g. Ethernet card, 802.11a/b/g/n, etc.), that may send and receive packets. Such packets may be IP packets that are transmittable over the Internet, such as Internet 101. Other I/O devices may be a keyboard and mouse that allow for user input, and a display that allows for information to be displayed by the computer as dictated by the computer programs.

Similarly, laptop 110 b, smartphone 110 c, tablet 110 d, or any kind of user computing device may have a similar browser, operating system, and hardware that may execute programmatic instructions such as one or more processors and memory and other storage devices to store those instructions. They may also have similar I/O devices such as displays, keyboards or mice, touchscreens allowing for touch input interfaces, or network cards.

These user devices may individually or collectively communicate with a number of other computing devices connected to the Internet. For example, they may communicate with any of the devices that are within network 120. Network 120 in this example illustrates a simple enterprise network that may consist of a gateway router 115 that may act as a border router at an ingress or egress point to network 120. Network 120 may also comprise an authentication system 102 which, like desktop 110 a, may also comprise one or more hardware processors, memory and storage devices that may store programmatic instructions executable by the hardware processors to carry out methods described herein. The authentication system 102 (or “authentication server” or “authentication service”) may be implemented by one or more distinct authentication systems.

Authentication system 102 may also generate and provide one or more user interfaces, including the example user interfaces illustrated and described with reference to FIGS. 6, 7A, and 7B herein. Such user interfaces may be displayed over the web and may be interactive with a display located over the network such as the display on user computing device 110. Such a network/web user interface may include one or more web pages, or one or more web page plugins that can collect information in a web-based form. This information may then be sent by the browser back to the authentication system for processing. These user interfaces may be used to, for example, configure authentication system 102 and/or for authentication or authorization of user computing devices 110 a, 110 b, 110 c, 110 d or any user of those user computing devices. For example, as described herein, user computing device 110 may contact over the web authentication system 102 to provide one or more pieces of information used for authentication, and vice versa.

For example, authentication system 102 may send to desktop 110 a a webpage where a user may enter information into an input form field. In some embodiments, this information may be a device selection indicating revocation, and may revoke a device from the list of registered security objects and devices associated with a user ID. Similarly, over the web, desktop 110 a may send to authentication system 102 information from a redirect request, information containing a one-time password, information about a security object associated with the device, or information in response to any request from authentication system 102. This list is exemplary and is not meant to be limiting. It is only an example of how web-based messages may be transmitted from user computing device 110 to authentication system 102 and vice versa. These communications usually traverse the Internet 101 over the Internet's IP network, or any other any wide area network (usually traversing multiple local area networks), and typically enter enterprise network 120 through gateway router 115 to be routed to authentication system 102. Alternatively, a local area network may be the only network the traffic traverses. The various web user interfaces and web programs described herein may be implemented via software modules on authentication systems, such as software modules 107. These software modules may be executed by hardware processors and stored as instructions on data storage devices such as enterprise directory 104, or any other local data storage device or remote data storage device that is associated with authentication system 102. Such instructions from the software modules may be executed by authentication system 102's one or more hardware processors to implement the system and methods herein.

Enterprise network 120 may comprise a gateway router 115, authentication system 102, webserver 103 a, app server 103 n, and enterprise directory 104. This enterprise directory may comprise, for example, an LDAP, SQL, Kerberos, or Active Directory server that stores information about users associated with enterprise network 120, which in some examples may belong to a business or organization. The enterprise directory 104 may store information such as user IDs, user passwords, device IDs affiliated with user IDs, addressing information such as city, state, and street address, phone numbers such as mobile and textable (SMS) phone numbers or landline phone numbers, company IDs or email addresses, or any other information, characteristic, or attribute associated with the users of the user devices. Enterprise directory 104 may also be used to store authentication or authorization information of the users of the user devices 110.

Web server 103 a may be a network or web service that user devices 110 may desire to access. The web server, like normal web servers, may communicate via HTTP over the World Wide Web with user devices and may communicate over, for example, secure HTTP/TLS/SSL, such as HTTPS. Similarly, authentication system 102 may also communicate via HTTP or via HTTPS with user devices 110. For example, if a user of user device 110 desires to access an application provided by the organization affiliated with network 120, web server 103 a may send information to the device's browser in order to serve that application to user device 110. In one example, the application may be running on app server 103 n, which may be configured to communicate over FTP, Telnet, or any other specific type of communication protocol or application service that is outside of HTTP or other World Wide Web protocols. In this way, app server 103 n or web server 103 a might provide a variety of network services. When a specific network service is required, such as the application provided by web server 103 a, authentication of the user and/or the user device 110 a may be required before providing that network service or upon access of specific resources where authentication is required. Such authentication may be provided by authentication system 102.

In particular, when an application or any other resource provided by any app server or web server within an organization's network is required, then authentication by the authentication system may take place. In addition, authentication system 102 may provide more than simple authentication mechanisms. For example, authentication system 102 may provide multifactor authentication where more than one factor of authentication is required in order to prove that the user is who they claim to be and be authorized to access, for example, web server 103 a or any application running on app server 103 n. As detailed herein, web server 103 a or app server 103 n may redirect requests coming from user devices 110 to authentication system 102 for authentication and/or for authentication of an additional factor.

For example, web server 103 a may itself require desktop 110 a and the user of desktop 110 a to be authenticated. For example, the user may log in via the web application running on web server 103 a using the username and password affiliated with the enterprise directory 104 (or a username/password local to the web server). Once this username and password is authenticated, web server 103 a may require additional authentication and may redirect the web request to the authentication system for the additional authentication using an additional factor. Such additional factors may, for example, be a one-time password (OTP), a security object, a certificate based mechanism (e.g. a cryptographic private key signature), among other additional factors. These additional factors may also include any knowledge-based questions and answers type factors, for example, “what is the name of your first pet?”, where the answer is configurable by the user.

FIG. 1 illustrates a solution for a web browser to facilitate device registration, validation and revocation for the purpose of secure two-factor authentication for IT resources, such as any enterprise web applications running on a web server 103 a and any network resources running on an app server 103 n. In this disclosure, any reference to communications or interactions with a web server 103 a may alternatively be implemented in non-web based protocols for other types of non-web network resources (e.g., email or other applications deployed on enterprise app server 103 n).

The entire process for such additional two-factor authentication may be manageable and configurable by an administrative console, such as configuration web pages hosted by the authentication system 102. The entire process may be logged and such logs may be viewable on authentication system 102 either through the web or through a local display. As another example, registered device security objects may be managed and revoked by users and administrators via web configuration pages implemented on authentication system 102. In some embodiments, such user interfaces for configuration and viewing of current authentications may be implemented separately from the authentication system on devices that may access web information coming from authentication system 102, such as any user computing device (e.g. via the web, or via a custom mobile app).

The system described in FIG. 1 may also have the ability to extract distinct device information from a device utilizing a web browser and web-based mechanisms such as JavaScript. Other mechanisms may be used to extract distinct device information, such as Flash programs, cookies, custom downloaded and installed programs (that are downloaded and installed through the web from the authentication system, for example), or any other mechanism or instructions that may be transmitted from the authentication system to the user device 110 for collection of characteristic information about the user device, a security object installed on or associated with the user device, a browser installed on the device, other software installed on the device (e.g. OS or other applications), or its user. This characteristic information may be transferred to and stored on the authentication system or any external remote data storage, for example on enterprise directory 104 or any cloud storage.

The authentication system can then use and store this information in the enterprise directory 104, in its local storage, or in the cloud. As discussed herein, some or all of this information may be used to create a security object for future comparison to other security objects. In one embodiment, a one-time native mobile app such as an iPhone app, if deployed through the web to an iPhone device, may be utilized to collect and send identification information, including security object information or device characteristics, from a device. It may be advantageous to use a program outside of a standard web browser to obtain additional device information, such as characteristics of an iPhone device that are inaccessible to the browser. This security object and other characteristic information may then be associated in enterprise directory 104, in the authentication system 102, or in the cloud, with user information such as a user ID. This creates a mapping of the user to his/her security objects, and a mapping of a security object to a particular user, that may be referenced by the authentication system 102. In some embodiments, the characteristic information of the device may be stored as collected in association with the user ID/user information and used to create a security object to assist in additional analysis.

The security object and the user ID may then be used to validate the association of the user to a specific user device such as user computing device 110 during a subsequent authentication. In this way, the authentication system 102 may use the security object as the additional factor in authentication (or in lieu of other additional factors described herein). Once the association is stored, the user's device may be considered a registered device. Once a user has registered one or more devices, the user interface on the authentication system may be used to manage the user devices and their security objects and characteristics that are associated with a specific user. For example, a user could delete one specific device and its security object to remove that device as registered in association with the user ID. Such a deletion may prevent the device from being used in association with that user unless the user once again registers the device and a new security object is created by the authentication system 102. Thus, by removing a security object associated with the user which is stored on the authentication system or other data storage, the association of the device to the user may be revoked, which may affect the additional authentication factors available to that user. Such deletion may be performed, either by an administrator or by the user, after successful authentication or login.

User Device Registration

FIG. 2 illustrates the interactions between the user computing device and the authentication system, resulting in device registration, that may be required in order to perform multi-factor authentication using a security object, according to some embodiments. One prerequisite for this process, in some embodiments, would be for an administrator of the authentication system to enable device registration on a per-user basis for a particular domain or security grouping (e.g. for an entire enterprise, for a subset of users, etc.).

The registration process may be initiated by pointing the user computing device 110 to the authentication system to begin the device registration process. For example, this could be accomplished via the user being instructed to register their device via a browser based system. As another example, this could be accomplished via the user being instructed to register their device via a mobile application, for example, on an iPhone. Browser-based methods would not require any device control such as routing or administrative access on the user device but merely take the user to a self-enrollment process on the authentication system, for example through the authentication system's web interface. Registration may also not require any routing or administrative access on the mobile device by the mobile app.

Whether communication is performed through a browser, a mobile application, or a standard non-browser application, communication with the authentication system may be initiated through a redirect request. For example, when the user computing device 110 requests application or network resource access from web server 103 a, that web server may require authentication. In some embodiments, the web server itself may perform authentication using a username and password by checking with enterprise directory 104 to authenticate the username and password. In addition, the web server or app server may decide, if configured to do so, that an additional authentication factor is required in order to allow access to the requested web application or networked resource.

At this point, the web server may initiate or send to the user computing device a redirect request. This may be performed using a standard W3C mechanism, such as an HTTP meta-refresh or a header-based redirect mechanism. There are many redirect mechanisms that may be used in HTTP or other protocols as known by those skilled in the art. The redirect request may force the browser or other application program that is in communication with the web server 103 a to contact the authentication system.

A device registration system may be implemented by the authentication system 102. For example, the authentication system 102 may run a server program that could pull either a device ID that is preprogrammed on the device or run a script to pull device distinguishing specifics from the device. Examples of a device ID include a hard drive serial number, a mother board serial number, a network interface card serial number, an IP address, or other device ID.

In some embodiments, a security object may be created for the device. To create the security object, the authentication system may send a script to be run by the user computing device to request and/or retrieve any existing security object data and other device distinguishing characteristics from the device. Whether it is a security object or identifier that is received from the device or a security object that is created by the authentication system, the security object can then be stored in association with the user in an associated table. In addition, any characteristics that are collected may be stored and associated with the user. This association table could be stored in a standard LDAP or active directory such as that deployed on enterprise directory 104 or in some relational database such as SQL, which may be deployed in the cloud or on the authentication system or as local data storage. In some embodiments, the device can now be associated with the user by reference to this table.

An example of a first-time process that may be used to register a new user device 110 such as an iPhone, another type of mobile device, a desktop, a laptop, or an iPad, will now be described. With reference to FIG. 2, a user may attempt to access an application from a mobile device. The web server accessed may redirect the browser to the authentication system for device registration and/or an additional factor of authentication. As a part of this redirect (communication (1) 201), the user computing device may send information as redirected from, for example, web server 103 to authentication system 102 requesting an additional factor of authentication.

The authentication system may then conduct a configurable secure authentication (2) 202. This may involve one factor, two factors, three factors, or four or more factors of authentication. For example, a first factor of authentication of the user computing device may be a user ID and/or password. This may be authenticated by the authentication system by looking up/verifying the user ID and/or password in enterprise directory 104.

Alternatively, or in addition, a user computing device may be authenticated using a one-time password. For example, a one-time password may be sent from the authentication system to a user cellphone as discovered through either looking up the username in the enterprise directory, or passed in the redirected request to the authentication system (1) 201. This one-time password may then be sent from the user computing device over the web to the authentication system for verification (for example, the user may type in the one-time password in a web based form served by the authentication system). This verification may constitute an additional factor of authentication.

Other types of authentication may comprise a one-time password sent through an email. For example, an email address associated with the user may be looked up in enterprise directory 104 (or provided as a parameter via the redirect (1) 201). This email address may be used to send the user a one-time password. The one-time password may then be sent back to the authentication system either by typing the one-time password in a web-based form or clicking a link in the email that will send the one-time password back to the authentication system.

Another example would be a telephone call or help desk call initiated by the authentication system. The user may receive over the telephone the audio sound (spoken or spelled by a computer or help desk person) of a word representing a one-time password. This one-time password may then be typed into a form presented by the authentication system and used to authenticate and compare against the one-time password that was sent over the telephone. Thus, in 202 this authentication or initial authentication of the user computing device may take place.

Once the user computing device is authenticated in some manner (or if the user ID is provided by the redirect), the authentication system may now have knowledge of a user ID associated with the user using the user computing device 110. Upon successful authentication, the authentication system may then send server-based commands to the user computing device 110 to optionally retrieve a security object, a security identifier, and/or device characteristics from the user computing device (3) 203. As described above, the security object or security identifier may comprise, for example, data objects processed or received from existing smart card identifiers, NFC object identifiers, Bluetooth object identifiers, OATH tokens (software-based), OATH tokens (hardware-based), and device characteristics. The device characteristics may include header information, fonts, plugin information, screen size, HTML5 storage facilities, IP address, cookie storage, and/or other unique characteristics (including browser settings) accessible by the program sent to the user computing device.

In communication (4) 204, the user computing device executes the commands provided by the authentication system. These instructions may be JavaScript instructions, or any other type of programmatic command, such as Flash instructions, or an installed executable binary. For example, this script/executable could comprise a mobile app that is installed on the user computing device if it is an iOS device or Android device (or other mobile device). The program or script may query the browser, OS, hardware, etc., or perform searches on the user's device, such as searching its storage devices for particular information, to gather the characteristics. These characteristics are then sent back in communication (5) 205 to the authentication system, for example, as HTTP GET or POST parameters.

In one embodiment, the authentication system may create a security object or token to be associated with the user and/or the user's device. In one instance, the security object may be a value that is the result of a hash program being executed over some or all of the characteristics. For example, the authentication system can concatenate together all, or a subset of, the collected unique characteristics of the user computing device 110. These concatenated characteristics may then be input into a hash program such as an SHA1 or MD5 hash program to produce a string that represents a security object. Any technique known in the art to produce a security object or token over a sequence or concatenation of data may be used to generate the security object. In some instances, the security object or token may be created without requiring any characteristics to be collected or retrieved from the device, and may not be a hash value.

In action (6) 206, after creating this security object or token, authentication system 102 then stores the security object to the local enterprise directory 104 or to local storage. This may include storing, in association with the user ID, in a table, such as SQL table(s) or to the enterprise directory, the security object value or token. The storage action may also include together, or separately, an association of each individual characteristic value collected from the device.

Once the security object has been created and the user has been authenticated, the user may then be redirected to the original target or requested resource, for example, web server 103 a. This would be the resource that originally redirected the user computing device to the authentication system 102 for an additional factor of authentication. This redirection may include an indication of authentication, such as an authentication token. This indication of authentication could be, for example, a cookie, or other data structure, stored by the user computing device's browser that indicates that the user was authenticated using an additional factor. The data structure may be in plain text, or encrypted (with either public/private key encryption or symmetric encryption) to enhance security, or could comprise a verifiable digital signature by the authentication system.

The authentication token data structure may also comprise an indicator of the additional factor(s) that the token is based on. For example, if a one-time password communicated through telephony was used to authenticate the user, then that factor may be indicated in the data structure. In the alternative, it may also indicate that a security object was created and/or used during the authentication, and that this is the separate factor.

The authentication token may also be used for access to additional network services in lieu of authenticating an additional time with the authentication system. This allows the network service, such as web server 103 a or app server 103 n, to trust the authentication token received from a prior authentication transaction with the authentication system. For example, when the user computing device accesses the web server or the application server initially, the authentication token from a previous session may be verified, and the user granted immediate access by the web/network service without having to perform another authentication exchange with the authentication system. For information regarding the single sign on feature and authentication token, including performing additional factors of authentication via a digital certificate, see U.S. Pat. Nos. 8,327,142, 8,301,877, 8,613,067, 8,510,816, and U.S. patent application Ser. Nos. 13/830,506, 12/948,037, 12/419,951, each of which are incorporated by reference herein in their entireties and are made a part of this specification.
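The signed, factor-annotated authentication token described above, as an added example that is not code from the specification: the authentication system issues a token carrying the user ID, an indicator of the factor(s) it is based on and an expiry, and a network service verifies the signature locally before trusting it. The HMAC key, the field names and the factor labels are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Sequence

# Constructed demo key. In a deployment this is the authentication system's own
# secret (HMAC) or private key (public/private key signatures), never sent to clients.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, key: bytes) -> str:
    # HMAC-SHA256 over the encoded payload; only the authentication system holds the key.
    return _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(user_id: str, factors: Sequence[str], ttl_seconds: int = 3600,
                key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Build the token handed to the browser after the additional factor succeeds.

    The payload carries the user ID, the factor indicator(s) the token is based on
    (hypothetical labels such as "security_object" or "otp_telephony") and an expiry,
    and is signed so a network service can verify it without another round trip to
    the authentication system.
    """
    issued = int(time.time()) if now is None else now
    payload = {"sub": user_id, "factors": list(factors),
               "iat": issued, "exp": issued + ttl_seconds}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return body + "." + _sign(body, key)


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    if token.count(".") != 1:
        return None
    body, signature = token.split(".")
    # Constant-time comparison: check the signature before trusting anything in the body.
    if not hmac.compare_digest(_sign(body, key), signature):
        return None
    try:
        payload = json.loads(_unb64(body))
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) <= current:
        return None
    return payload


def service_accepts(token: str, required_factor: str, key: bytes = SERVER_KEY,
                    now: Optional[int] = None) -> bool:
    """Decision a network service such as web server 103 a makes on a presented token:
    it must verify and must have been based on the factor this service requires."""
    payload = verify_token(token, key, now)
    return payload is not None and required_factor in payload.get("factors", [])
```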

User Device Validation

After registration, the user device 110's security object may be used as an additional authentication factor for verification of user credentials. For example, one authentication factor may be that the user device has been seen previously in association with a specific user ID. For example, on subsequent authentications, the authentication system may be able to map the user ID of a user to the security object of one of his stored devices, and compare that with the current device that is accessing the authentication system 102.

Such a mapping may be the result of collecting the user ID information from a form, or via a header from the redirect, or based on a received session cookie. For example, the user ID could be stored in an authentication token stored by the browser or be associated with an authentication token. For example, an authentication token's unique number may be stored in the authentication system as associated with the current user ID, which allows lookup of the current user ID. The authentication system may also be able to map the stored device ID. For example, if a device ID such as a hardware ID or a hard drive ID was collected, the authentication system may store it in enterprise directory 104 and retrieve it in order to map the device to the user. In addition, the system is able to map the new device security object to the user ID, such as by using a table as described herein during the registration process.

Each time the network service requires the additional factor of authentication and redirects the user computing device to the authentication system, the authentication system may request the user computing device 110 to run the script/instructions and provide its unique characteristics to the authentication system 102. The authentication system 102 may then, each time the additional factor authentication is required, determine or identify the device's security object and compare it to the known security objects for the computing devices associated with the user authenticating. This comparison may be implemented via the tables and associations described above.

If the security object matches a device known to the user and registered to the user, then the user may never actually see any webpages associated with the authentication system. Instead, the authentication system will accept the provided characteristics as the additional factor of authentication and merely redirect the user computing device back to the network service. This redirection may be accomplished using, for example, a browser redirection instruction as noted in the W3C standards, which may be done in HTTP headers or other methods known in the art. In this manner, the user of the user computing device may never see any webpages associated with the authentication system and the additional authentication provided by the authentication system will seem seamless to the user.

In some embodiments, upon redirection the user device 110 may already have an authentication token. The authentication token, for example, may be a session based ticket installed in the browser that can be received by the authentication system and used to pull the user ID from the session based ticket. This user ID or any ID that is used across session-based tickets may be mapped to the device table either in enterprise directory 104 or located within the authentication system or in the cloud to determine whether the device is associated with the user.

If this device is on the list of trusted devices of the user, in other words, it has a registered security object, then the user is allowed to access the new network resource through the redirect.

This trust and seamless access may be accomplished across multiple network services or network applications (e.g., single sign-on may be supported). For example, the user computing device 110 may complete registration of the device security object after being redirected by a first network service. At this point, in some embodiments, it may have an authentication token indicating that the user computing device has completed the additional factor of authentication. When the user computing device and its browser browse to a second network service and contact it, then the user computing device may be redirected back to the authentication system for additional authentication, as was done with the first network service.

However, because the user computing device is already registered, the user computing device may be immediately redirected to the second network resource because of the match found of the security object to the user's associated devices. In this manner, a single sign-on may be allowed for the user computing device. In other words, once the user computing device is registered, the user computing device need not login to the authentication system to provide the additional factor, and instead may simply provide its unique characteristics to the authentication system(s) to enable single sign-on technology. In other embodiments, a second authentication factor may be used to further authenticate the user.

For example, FIG. 4 illustrates the interactions between the user computing device and the authentication system during validation. Once the device is registered to the user, subsequent authentications appear seamless and low-friction for the user. In FIG. 4 the user computing device in communication (1) may be redirected to the authentication system for an additional factor of authentication. For example, the user may attempt to access the network service or the web service on web server 103 a from a desktop or a mobile device represented by user computing device 110, and is redirected to authentication system 102 for authentication or for an additional factor of authentication.

The user may then supply the user's enterprise credentials; for example, the user may supply a user ID and/or password, a certificate, or any other factor of authentication such as a one-time password to the authentication system. These credentials of the user or the user computing device may be authenticated via the enterprise directory. For example, the username and password may be sent to the enterprise directory for verification. Credentials such as a username and password, or a certificate-based signature, may be sent to the enterprise directory for validation, or the enterprise directory may be queried for information that may be used to authenticate the username and password, certificate, or other additional authentication information.

In communication (3) the authentication system sends instructions to the user computing device to gather and collect security object information and optionally unique device characteristics about or associated with the user computing device. An example list of such characteristics is disclosed herein. In communication (4), the security object information and (optionally) characteristics are sent back to the authentication system.

This security object information is then compared with the security objects of the devices that previously authenticated and are associated with the user ID in the data store. These can be queried from the enterprise directory or based on a table in the authentication system. If a match is found, the authentication system counts it as a successful second factor authentication, and therefore no additional authentication factor is required, such as SMS, telephony, or knowledge-based authentication. In communication (5), the authentication system may then return an authentication token that provides single sign-on to the user device for access to the network service, which may be a cloud, web, or mobile resource. This authentication token may be accepted by other network services in lieu of requiring an additional factor of authentication.
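The security object lifecycle described in the registration section (concatenate and hash the collected characteristics, store the result with the user ID) and in this validation section (recompute from the characteristics sent this session and compare against the user's registered devices), together with the revocation described earlier, as one added example that is not code from the specification. The characteristic names, the in-memory table and the use of SHA-256 (the specification names SHA1 or MD5) are assumptions.

```python
import hashlib
from typing import Dict, Mapping, Optional, Sequence

# Hypothetical characteristic names: the specification lists categories (fonts, plugins,
# screen size, IP address, ...) but no fixed schema.
CHARACTERISTIC_FIELDS: Sequence[str] = ("user_agent", "fonts", "plugins", "screen", "ip")

# Constructed sample of what the script in communication (5) might send back.
SAMPLE_DEVICE = {
    "user_agent": "Mozilla/5.0 (constructed sample)",
    "fonts": "Arial,Verdana,Helvetica",
    "plugins": "pdf-viewer",
    "screen": "1920x1080",
    "ip": "198.51.100.7",
}


def create_security_object(characteristics: Mapping[str, str],
                           fields: Sequence[str] = CHARACTERISTIC_FIELDS) -> str:
    """Concatenate the selected characteristics and hash the result.

    Values are joined in a fixed field order with a separator unlikely to appear in
    them, so the same device always yields the same digest; joining the values in
    whatever order the browser happened to send them would produce a different
    security object on every request and the comparison below would never match.
    """
    canonical = "\x1f".join(f"{name}={characteristics.get(name, '')}" for name in fields)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DeviceRegistry:
    """In-memory stand-in for the association table (LDAP, Active Directory or SQL in
    the specification) that maps users to security objects and security objects back
    to users."""

    def __init__(self) -> None:
        # user_id -> {security_object -> the individual characteristic values}
        self._by_user: Dict[str, Dict[str, Dict[str, str]]] = {}
        # security_object -> user_id (the reverse mapping; one owner per object here)
        self._by_object: Dict[str, str] = {}

    def register(self, user_id: str, characteristics: Mapping[str, str]) -> str:
        """Action (6): create the security object and store it with the user ID and
        the collected characteristics. Returns the new security object."""
        security_object = create_security_object(characteristics)
        self._by_user.setdefault(user_id, {})[security_object] = dict(characteristics)
        self._by_object[security_object] = user_id
        return security_object

    def validate(self, user_id: str, characteristics: Mapping[str, str]) -> bool:
        """Validation: recompute the security object from this session's characteristics
        and check it against the devices registered to the authenticating user."""
        return create_security_object(characteristics) in self._by_user.get(user_id, {})

    def owner_of(self, security_object: str) -> Optional[str]:
        """Reverse lookup from a security object to the user it is registered to."""
        return self._by_object.get(security_object)

    def revoke(self, user_id: str, security_object: str) -> bool:
        """Remove one device; it is then no longer registered for that user until it
        is registered again and a new security object is created."""
        devices = self._by_user.get(user_id, {})
        if security_object not in devices:
            return False
        del devices[security_object]
        self._by_object.pop(security_object, None)
        return True
```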

Two Factor Persistent Authentication System

In some embodiments, no user ID or password, or other user information need be stored in the cloud or in association with the authentication system 102, at least initially. Instead, the authentication system, which in some embodiments may be deployed as a cloud service, may be able to receive user ID/identification and profile information dynamically when additional factor authentication is required. The authentication system 102 will have a variety of supported one-time password mechanisms, but instead of storing username and password information it will instead be able to create, store, and validate device security objects to provide on the fly a second factor of authentication for authentication that has already occurred, such as username and password authentication by the network service, web service, or application service itself.

Similarly, in some embodiments the registration process and validation process may occur at the same time. Such a service may be designed to facilitate and easily integrate a solution for a second factor of authentication for enterprise applications, enterprise network resources, cloud-based resources, and native mobile applications. This solution is designed to integrate into existing environments.

For example, the web service can use its current authentication mechanism such as a local LDAP server or active directory, to authenticate a user based on the enterprise's user information stored in those directories (e.g. using a password or a certificate). In addition to this local authentication, the web service could also redirect the user to the authentication system. This may be done through browser redirects governed by conventional and readily accepted browser standards such as the W3C standards.

FIG. 5 illustrates one embodiment of a system for persistent authentication of an additional factor, in this case a security object. This embodiment's configuration has the authentication system 102 directly connected to the Internet, and not deployed within the enterprise's network.

In communication (1), the user attempts to access the target application or resource. For example, the target may be a web application, a network resource, or a software-as-a-service (SaaS) cloud application, or a native mobile application. The application may then conduct a standard authentication of user ID and password using its preexisting client server dialogue. For example, it may utilize existing data connectors to its on premise data stores such as enterprise directory 104 that may run active directory LDAP, SQL, or other data storage and user information repositories. If the target is configured to require an additional factor of authentication such as a second factor, the web server may redirect the user's user device 110 to the authentication system 102 (2), which in this scenario may be located in a cloud service.

The cloud service/authentication system 102 and the web pages on the authentication system may be configured to have the same look and feel of the target application. For example, the authentication system 102 may serve web pages with the same look and feel as the enterprise running the target application, and may have an authentication workflow that may be configured by the enterprise running the target application. This may be done through a configuration user interface that is accessible by the enterprise through the cloud to configure the look and feel of the authentication interface for its enterprise users (e.g., based on IP address, IDs in the redirect information, etc.).

The entity that requested authentication, for example the target application, may send, via the redirect to the authentication system 102, information requesting authentication using an additional device-based security object factor. For example, it may send a cookie or other token to the user computing device that may then be sent from the user computing device to the authentication system, and may comprise a number of different elements and information. Alternatively, the information may be passed in a URL parameter in the redirect URL itself. For example, the redirect could use a number of HTTP GET/POST parameters to transmit such information.

No matter the method of transmission, the information sent from the network resource to the authentication system 102 may comprise, for example, a user identifier such as a user ID, an email address associated with the user of the user device, a telephone number associated with the user or the user device, an SMS number associated with the user of the user device or the user device, a push number, or a PIN. In the alternative, it may include any other dynamically retrieved information from the enterprise data source that may be used by the authentication cloud service to identify or contact a user.

Similar to FIG. 4, the authentication system 102 may be able to send instructions to the user computing device in communication (3) to gather and collect security object data and, optionally, device information. This information may then be sent back in communication (4) to the authentication system. The types of information collected are similar to those described above under registration, and may include browser information, screen resolution, fonts installed, etc.

In communication (5), using the information collected, the authentication system accesses its local data store to determine whether the security object data received matches, and has already been associated with, the user ID received directly or indirectly from the enterprise resource that the user was attempting to access.

If a match is made, then a successful authentication token may be sent back to the authentication calling product. In this example, it is web server 103 a which is an enterprise network resource that is using the authentication system 102 to perform an additional factor of authentication. This authentication token may be sent back to the user computing device for storage in its browser. The user computing device may then, in communication (7), send this information to the web server to prove that it has performed the additional factor of authentication.

If the user device was not matched based on the security objects retrieved from it for this session, then the user may be forced to authenticate using an additional factor of authentication. In this case, a one-time password mechanism may be used. For example, an SMS message may be sent to the user's phone; a telephone call may be made to the user's phone, in which an audio voice reads out a one-time password to be used; an email message may be sent that includes a link to verify that the email message was received (this email link may direct the user computing device's browser to a specific web page provided by the authentication system); a push notification may be sent to a push number for the user; and so on. After the user authenticates using the additional factor, a security object may be created by the authentication system and associated with the user computing device. The security object may then be provided to the user computing device, and the authentication token may be returned to the calling party as described above.

In any case, the authentication system 102 directly or indirectly communicates with the user and conducts the delivery of the one-time password over an out-of-band channel. For example, the one-time password, regardless of the method by which it is sent to the user, may be stored by the authentication system before being sent. It may be a randomly generated string. Once communicated to the user, this randomly generated string may then be returned by the user computing device to the authentication system through the web and compared to the stored one-time password that was originally sent. If they are the same, then the additional factor of authentication is successful.

Other factors of additional authentication besides a one-time password may be a USB key that has a verifiable unique device ID that must be plugged into the user's device 110, or an NFC card that may be in communication with the user computing device 110. In addition, it may be a certificate for which the user computing device has access to the public key, or may be associated with a user ID of a user that is operating the user computing device.

If the one-time password authentication is unsuccessful or other authentication mechanisms are unsuccessful, a web token may be returned to the user computing device which may then be redirected back to the web server indicating an unsuccessful authentication.

This additional factor authentication is represented in FIG. 5 via the two-way “additional factor” communication indicated as being communicated between the user computing device 110 and authentication system 102.

If the one-time password authentication or other additional factor authentication is successful, the device security object and/or its unique characteristics that were collected may then be stored locally in the cloud service within the authentication system 102 and be associated in a table with a user ID. Multiple devices and security objects may be associated with a single user. This allows an additional factor of authentication to occur using a security object of the device, which was previously authenticated by the user via a one-time password, so that additional one-time password authentication steps can be skipped in the future. The additional security object factor going forward is to look up the user ID in the table, compare the security object values stored in association with the user ID to a currently collected security object value, and determine whether there is a match. If so, any one-time password authentication may be skipped.

If the one-time password or other additional factor authentication is successful, then in communication (6), the successful result may be communicated back to the user computing device 110. The communicated indication may denote that a successful additional factor of authentication has occurred, and/or name the specific successful additional factor. The user computing device then returns this authentication token in communication (7) to the network service that was originally being accessed in communication (1). That service then examines the token and verifies it, using, for example, a cryptographic method if necessary. The network service (e.g. web server 103 a) may then allow the user computing device access to its resources.

In some embodiments, the enterprise deploying the network service that requires the additional factor authentication may pick and choose what type of authentication is required. For example, the one-time passwords that may be used in order to register a device security object may be selected based on any requirements that a particular enterprise has. The enterprise may use a user interface deployed on the authentication system, such as authentication system 102 in the cloud, to indicate to the authentication system that a specific one-time password type of distribution, such as email, voice, push notification, or SMS, has been chosen for use.

In addition, using the same user interface they may specify the look and feel of the authentication that is taking place. For example, each web page that asks for the one-time password may use the style sheets or other template frameworks that the enterprise uses for its own web services, so that the pages the authentication system presents to the user match the enterprise's own pages.

These pages and/or styles may be uploaded through the user interface tool or dynamically downloaded by the authentication system from the enterprise for each web page that is being run on the authentication system. For example, the authentication system may be configured to download the template from the web server using a normal HTTP or HTTPS request from the user computing device 110, or may configure its web pages to instruct the user computing device 110 to download and display these style elements directly through the web server 103 a.

In addition, the enterprise may be able to configure the authentication system such that multiple one-time passwords may be required to register the security object. For example, an enterprise may require that both an SMS one-time password and an email link one-time password must be used before registration of the security object is effective. Other additional factors besides one-time passwords may also be required, such as a certificate that is associated with the user computing device and/or the user. For more details on how to use the certificate for an additional factor of authentication, see the applications incorporated by reference herein.

In addition, the authentication system may determine whether persistency of the authentication token is allowed. For example, the authentication token may be used as a single sign-on token that may be presented to other network services that accept the token. In this embodiment, the additional network service may accept the token in lieu of performing any other additional factors of authentication. In a different configuration, the authentication token may not be used by other network services, and additional one-time passwords and/or verification of the security object or matching of the characteristics must be performed by the authentication system before other network services can be accessed by the user computing device 110. In addition to the cloud deployment embodiment, this additional factor type of authentication may be deployed directly in the enterprise. For example, authentication system 102, instead of being connected to the Internet in order to communicate with the enterprise, may be deployed directly in the enterprise's network and may be configured by the enterprise administrators separately from any third party cloud administrators.

FIG. 6 illustrates an embodiment similar to FIG. 5, in flow chart form. User device 110 requests a service from a resource associated with an enterprise. In 602 this request is sent to the app or web server, for example 103 a to be handled. App or web server 103 a then determines 604 whether the user and/or the device is authenticated and, if not authenticated, may redirect to the authentication system with optional parameters. For example, the app or web server may authenticate the user device using a username and password. However, it may also require an additional factor of authentication.

To satisfy this additional factor of authentication, the app or web server may, via an HTTP redirect, redirect the user device to the authentication system to handle the additional factor of authentication 606. As part of this redirect it may insert optional parameters to be sent to the user device to be forwarded to the authentication system using the redirect mechanism. For example, these optional parameters may be a user ID or any indicator of a user associated with the resource attempting to be accessed, such as an email address, a telephone number, an SMS number, a cell phone number, a push information number or mobile app push token value, a password or pin, or any other dynamically retrieved information from the enterprise data storage that can be used by the authentication system to perform authentication of an additional factor. In some instances, if a security object already exists and is associated with the user device 110, the security object (or an associated security identifier) may also be provided to the authentication system.

In block 608, the authentication system may create a security object based on the device characteristics. If a security object or identifier was provided with the authentication request, the authentication system may attempt to match the security object with another security object stored in a table in association with the user ID that is to be authenticated. In block 610, if there is a match with another security object stored in a table in association with the user ID that is to be authenticated, then the authentication system 102 may generate and create an authentication token, store a record of the authentication token and/or that the token was created, and link it to the user ID. Then, that token may be sent 616 to the user device for storage by its browser in data storage on the user device 110.

This authentication token may then be sent to the web server 103 a to be processed 618 by the web server 103 a. If the authentication token, which may be protected by cryptography as described herein, is authentic, it may be accepted by the app web server 103 a, and the user device would then be allowed access to the network service provided by the web server 103 a.

On the other hand, in block 610, if a matching security object is not found or if a new security object has been created (for example, if no security object has been established yet for the user's device), then a one-time password authentication or any other additional factor of authentication may be required before sending the authentication token to the user device. In this scenario, in block 612, the authentication system 102 and the user device 110 perform a one-time password validation as described herein. Any form of additional authentication may be used. This exchange usually comprises the authentication system sending the one-time password over one of the SMS, telephony, push notification, or email channels for example, and the user device sending that information back through its web browser to the authentication system 102 to verify that the user device received the one-time password.

Once this is done, the security object that was created for matching is stored in association with the user ID of the user device in the authentication system (for example, in the cloud). In other embodiments, this may be stored elsewhere, for example, in the enterprise data store 104. This association allows additional later verification of security objects without having to perform the one-time password additional authentication factor. At this point, an authentication token may be generated by the authentication system 102. User device 110 may receive the authentication token which may be sent to application web server 103 a for processing 618 as described above.
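The FIG. 6 flow (blocks 608 through 618) in miniature, as an added Python example that is not part of the patent's text: the AuthSystem class, the derivation of the security object as a SHA-256 digest of the collected characteristics in canonical JSON, the eight-digit one-time password, and the HMAC-SHA256 authentication token format are this example's assumptions, and the sample characteristics are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed sample input: characteristics the capture script gathers
# from the browser in communications (3)/(4).
SAMPLE_CHARACTERISTICS = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1) Example/1.0",
    "screen": "1920x1080",
    "fonts": ["Arial", "Calibri", "Consolas"],
}
SIG_LEN = 32  # HMAC-SHA256 digest appended to each token (assumed format)


def make_security_object(characteristics: dict) -> str:
    """Derive a stable security object value from the collected device
    characteristics (canonical JSON so key order does not matter)."""
    canonical = json.dumps(characteristics, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuthSystem:
    """Authentication system 102: user ID -> registered security objects,
    pending one-time passwords, and HMAC-signed authentication tokens."""

    def __init__(self, signing_key: bytes, otp_ttl_seconds: int = 300):
        self._key = signing_key
        self._otp_ttl = otp_ttl_seconds
        self.registrations = {}   # user_id -> set of security object values
        self._pending_otp = {}    # user_id -> (otp, expiry time)

    # Block 608/610: create the security object and look for a match.
    def match_security_object(self, user_id: str, characteristics: dict) -> bool:
        sec_obj = make_security_object(characteristics)
        return sec_obj in self.registrations.get(user_id, set())

    # Block 612: the OTP is stored, then delivered out of band (SMS, voice,
    # email, push).  Delivery itself is outside this example.
    def issue_otp(self, user_id: str) -> str:
        otp = "".join(secrets.choice("0123456789") for _ in range(8))
        self._pending_otp[user_id] = (otp, time.time() + self._otp_ttl)
        return otp

    def verify_otp(self, user_id: str, submitted: str) -> bool:
        """Compare the value returned over the web with the stored OTP.
        The stored OTP is single use and expires after otp_ttl_seconds."""
        stored = self._pending_otp.pop(user_id, None)
        if stored is None or time.time() > stored[1]:
            return False
        return hmac.compare_digest(stored[0].encode(), submitted.encode())

    # Block 614: remember the security object so later logins skip the OTP.
    def register(self, user_id: str, characteristics: dict) -> str:
        sec_obj = make_security_object(characteristics)
        self.registrations.setdefault(user_id, set()).add(sec_obj)
        return sec_obj

    # Block 616: token for the browser to hand to web server 103a.  The HMAC
    # lets the web server reject tokens the authentication system never issued.
    def issue_token(self, user_id: str, factor: str) -> str:
        body = json.dumps({"sub": user_id, "factor": factor,
                           "iat": int(time.time())}, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + sig).decode()

    # Block 618, as web server 103a would perform it with the shared key.
    def verify_token(self, token: str) -> Optional[dict]:
        raw = base64.urlsafe_b64decode(token.encode())
        body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(body)

    # Block 610 decision point, driven by the redirect from the web server.
    def authenticate(self, user_id: str, characteristics: dict) -> Tuple[str, str]:
        """Return ("token", token) on a security object match, otherwise
        ("otp_required", otp); the OTP goes to the out-of-band channel,
        never to the browser."""
        if self.match_security_object(user_id, characteristics):
            return "token", self.issue_token(user_id, "security_object")
        return "otp_required", self.issue_otp(user_id)

    def complete_otp(self, user_id: str, characteristics: dict,
                     submitted: str) -> Optional[str]:
        """Blocks 612-616: verify the OTP, register the security object,
        and issue the token.  Returns None when the OTP is wrong."""
        if not self.verify_otp(user_id, submitted):
            return None
        self.register(user_id, characteristics)
        return self.issue_token(user_id, "otp")
```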

As described in this disclosure, in some embodiments the authentication system may also be able to convert the security object or token to a form that may be accepted by the app/web server 103 a, if required. For example, the web server 103 a may not be enabled to accept or process the authentication security object. For example, the user may have registered an NFC object or a mobile device to his user account, and then authenticated with the authentication system. The authentication system would then be able to assert this object to web server 103 a, depending on the nature or type of the web server 103 a. For example, the app/web server 103 a may be a web server (e.g., SharePoint, J2EE web server, Apache/Tomcat, etc.); a cloud service (e.g., Google Apps, Microsoft Office 365, Salesforce, etc.); a network resource (e.g., Juniper VPN, Cisco ASA VPN, F5 BigIP network proxy, etc.); and/or mobile apps (e.g., apps for Android, iOS, Windows, browser apps/extensions, etc.). Each of these variations may accept different types of security objects or tokens. The authentication system may use some of the parameters associated with the redirect request to determine the type of the web server 103 a and convert the security object and/or authentication token into an appropriate or acceptable format for processing by the web server 103 a.

Thus, for example, when a successful authentication of the mobile device and the user is made, the authentication system can determine an identity assertion format acceptable to the first network resource (for example, by locating the identity assertion format associated with the web server 103 a in a stored mapping of a plurality of network resources to a plurality of identity assertion formats); create an identity assertion object related to the user in the determined identity assertion format, the identity assertion object being distinct from the security object and the object identifier; and provide, to the web server 103 a, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the web server 103 a.

As one example, web server 103 a may be a SharePoint server that may not accept the registered authentication token (e.g., NFC Proxy Card, Smart Card, X.509 cert, etc.). Instead, the authentication server/service may conduct the security object authentication described above, and then provide an appropriate SSO token (web or other) to the web server 103 a. For example, the SSO token could be in the form of a SAML, WS-Fed, OpenID, URL GUID, or some other accepted/predetermined object. The SSO token may be configured on a per resource basis, and may be different for each type of web server 103 a. For example, a mapping of resources to entities, apps, and/or web servers may be stored or readily accessible in a directory by the authentication system.

Device Inventory

After registration of the user device 110, in some embodiments, authentication system 102 presents the option for administrators of authentication system 102, enterprise administrators, and/or the users themselves to see which devices have been registered in association with the user.

The devices may be named in the authentication system's database or in enterprise directory 104, including, for example, names like Windows 7, Android 4.3 Jellybean, OS10.8, Jimmy's Office Machine, Elena's Apple Tablet, or any other name that may describe the device, indicate ownership of the device, or that is otherwise ascribed to the device by the user or the administrator. Users and administrators may log in to the authentication system 102 to view the inventory of their current user devices that have security object characteristics and security objects associated with them.

From this inventory, the user or admin can see what devices have been registered and when the security object was created. For example, each device along with the name may be displayed in a webpage user interface with a date. That date may signify either the date that the security object and/or device characteristics of that device were collected and associated with the user, or it may reflect the date that the security object and/or characteristics for that device were last used in the authentication system 102 database. This information would be stored in a database associated with the user ID or any identifier associated with the user. The database could be the same data store, for example, an Active Directory, SQL database, etc., or it could be a separate data store with associated key values aiding in the mapping and referencing of the user ID.

For example, an SQL database implemented within the authentication system may store in a table a user ID and associate with that user ID, in a table row, a key to or the name of the user device, along with any characteristic data that may be stored in that table or in other tables linked to it. Alternatively, in Active Directory, the user ID's person entry or person object may store, in association with that user, the security object value of the user device, along with its name and most recent date of updating or creation, in addition to, in some embodiments, the user device characteristics for that device. This allows the authentication system to easily query either an SQL database or LDAP to determine which user devices are associated with the user ID, and to use those listed devices and their associated data to manage the device inventory and/or validate user devices requiring authentication by using this additional factor—the security object.

Device Revocation

As a part of the management of the security objects and user devices described above, devices associated with the user may be revoked. Revocation is a broad term, and encompasses its plain and ordinary meaning, and may comprise removing the association between a user ID and a security object, and/or removing the association between the user ID and the stored device characteristics that the security object is dependent upon, in order to remove that user device as a device that proves an additional factor of authentication.

For example, a user interface to manage user computing devices that are associated with users may provide the ability for users to review and revoke the devices associated with the specific user. This revocation may be performed on an individual basis, for example, by selecting one or more devices to revoke. Or, this revocation could be done for all devices of a user at the same time. The selection of which devices to revoke may be indicated to the authentication system using a variety of parameters that may be based on web based form input, such as a check box to indicate whether a device should be revoked. For example, the check box can be configured so that if the check box is checked the device should be revoked, or if the check box is unchecked the device should be revoked, depending upon the embodiment. Likewise, a button or other indicator within a web form could indicate that all devices for the user should be revoked.

This configuration user interface may be displayed along with the device name, a date for either registration or the last update of that device, in addition to zero or more characteristics of that device that may be displayed alongside the device name. This system would give both users and administrators a web-based console to view which devices are associated with the user, and to revoke any devices that the administrator or user no longer want to allow as being sufficient to provide an additional factor of authentication.

In some embodiments, the name of the device may be automatically generated. For example, it may use a characteristic, such as the operating system, to automatically name the device for the user or administrator. This name may be altered later in the user interface by the user or administrator. For example, the device name may be the operating system of the device such as Windows 7, alone or in conjunction with other characteristics, such as the browser and its version, the version of the operating system, or any of the characteristics that are collected by the authentication system's capture script.

When a user or administrator logs into the authentication system to configure or revoke their associated security objects, the authentication system 102 may query its local data storage or the enterprise directory for the listed devices to display. The authentication system 102 may also send a web user interface to the user computing device 110 for display to the user or administrator. Once the user has interacted with these pages, the authentication system 102 may be sent a subset of information, based on the forms presented, to act upon, including updating names or revoking one or more registered devices.

The revocation is, in some embodiments, a graphical user interface action of unchecking the check box next to the name of the registered device and then selecting a button such as a “revoke selected devices” button. The devices can be revoked individually, or all devices associated with a user can be revoked together.

For example, FIG. 6 illustrates an example web page user interface that a user or an administrator could use to revoke the security objects associated with their user account, or any user account if it is an administrator. The web page user interface may list all digital security objects associated with the user ID. For example, user interface feature 712 shows a user computing device security object called “X.509 Certificate.” If the user unchecks the check box associated with security object 712 and updates their associated security objects by clicking the update button 714 then the browser on the user computing device would send an HTTP or HTTPS message to the authentication system to indicate that that security object should no longer be associated with that user ID or should be deleted.

This may mean that any device that has that security object will no longer be associated with that user ID, as the authentication system may act on the message and disassociate that security object from the user ID and/or delete the security object. In the future, when that user computing device attempts to use the authentication system to prove that an additional authentication factor has been satisfied, that user computing device must perform the registration process again and will not automatically be issued a successful authentication token.

This interface may also be used by the user to set up additional user based information that can be used for additional authentication mechanisms, including, for example, knowledge-based question-and-answer mechanisms. In form 702, for example, appears a configurable question, for example, “what is the last name of your favorite school teacher” or 704 “what is the name of your favorite childhood pet” or 706 “what was the model of your first car.” These are examples of knowledge-based questions with associated, configurable, answers, which can be supplied to the authentication portal for the user as an additional authentication factor. Thus, like the email, SMS text, push notification, and telephony one-time passwords, the answers to these questions when that question is prompted by the authentication system may be treated as an additional authentication factor, which, like the other one-time password methods, may be used to register a security object of a device as an additional authentication factor.

FIGS. 7A and 7B illustrate possible user interfaces for an administrator to delete and/or revoke device security objects associated with a user. For example, 802 shows a user interface that may be used to search for a specific user ID. When the search results are returned, it may display information about that specific user ID such as the form shown in FIG. 7A, or a list of possible users based on search match criteria. If one is selected, then a user interface similar to FIG. 8 may be displayed. The user interface in FIG. 7A allows for modification of user information, for example the user information shown in 804, including name, first and last, phone, cell phone or a variety of phone numbers, email address or a variety of email addresses, knowledge-based questions and answers, the maximum number of certificates that can be associated with a user, and a list 808 of security objects for user computing devices associated with a specific user.

Like in FIG. 6, as discussed, an administrator can revoke one or more user computing device registrations by either resetting all security object registrations or resetting individual registrations via unchecking a box, as one example. For example, the authentication system 102 may support a user interface that could indicate to the authentication system a selection of one or more devices and, based on that selection, disassociate the one or more selected devices from the user. In essence, this revokes the device and forces that device's user, if that device is ever used again, to re-register that device as an additional authentication factor. For example, if in FIG. 8 the reset all registrations button was selected by an administrator, that would cause the authentication system to execute a revocation of all devices associated with that user. This would require all devices associated with that user to be re-registered if they are to be used as an additional authentication factor.

FIG. 8A illustrates in one embodiment how a user may manage and/or revoke their devices. In FIG. 8A, a user may wish to revoke one or all of the devices associated with his account. In order to begin the process of managing his devices, the user may browse to the configuration web page via a link to the authentication system web server. The web server may require authentication of the user in order for that user to access the management web pages 904. This user authentication may be performed using any of the methods described herein, including security object device authentication, username and password authentication, one-time password authentication, certificate based authentication, any of the other methods described herein or incorporated by reference, or those well known in the art.

Once the user authenticates, the authentication system will use the user ID that is associated with the authentication to retrieve the list of security objects and devices. This may involve querying, based on user ID, the data store containing the associations of registered devices.

In block 906 the authentication system may send to the user the list of retrieved devices as a part of a user interface to select and to initiate requests for revoking devices through the web. The user, using the user computing device 110, may receive the list of devices and select one or more of the devices or indicate that all of the devices are to be revoked. This selection may then be sent via the web over the Internet or any local area or wide area network to the authentication system. The authentication system in block 908 will then receive the selection of the device or devices to revoke, which may be all of the devices. The authentication system may then delete the association between the user and the selected devices, or between the user and all of the devices if the user so indicated. Once that association is broken in block 912, the user will not be able to use the security object or any of the characteristics associated with the device to provide an additional authentication factor for enterprise applications unless the user once more goes through the registration process as described herein. Thus, in block 912, the user is denied future authentication based on the revoked device due to the revocation of the registration.

FIG. 8B illustrates a method for an administrator to access the authentication system to search for a user and delete/revoke associations between the searched for user, and one or more of the user's devices.

In block 922, the administrator authenticates using the same methods as described for block 904 for a user to authenticate. Unlike the user, the administrator's account may be indicated to have administrative rights above and beyond a normal user. This allows the administrator access to a set of web pages or functionality not normally authorized to a standard user, including querying other users and modifying the devices associated with those other users' accounts. Permissions may be set up on a per enterprise basis, per user group basis, or any basis well known in the art. The administrator may then, such as by using the user interface described in FIG. 8, query the authentication system by typing in a user name, a partial user name, or any information associated with the user to search for a user. The authentication system may then perform the search and return to the administrator a list of users to select. The administrator may then use the web server interface to select one of the users returned in the results and have the selection sent back to the authentication system, upon which, in block 926, the authentication system may send to the administrator a list of devices associated with the selected user. An administrator may select one or more of the devices to revoke, or may select all the devices to revoke, in block 928. In block 930, upon receiving the selection of one or more devices or all devices to revoke, the authentication system may delete the association between the user and the device or devices. Once this is done, the user whose devices were deleted may not use those deleted devices for an additional authentication factor because they have been revoked. Instead, the user must re-register those devices using techniques described herein.

In other user interfaces, additional options may be made available for the configuration of the security object mechanisms that may be implemented by the authentication system 102. For example, the administrator may specify a length of time to store the security object. For example, if 0, there is no expiration date. If more than 0, then that value is the length of time in days after which all security objects would expire. In some embodiments this means the length of time after which a security object expires if not seen within that period. In other embodiments it may mean that the security objects expire after that period regardless of whether they have been reused within it.

As another configuration option, the security object expiration length since last access may be specified. This value may instruct the authentication system to unregister a security object if that security object has not been used within a certain amount of time. As another configuration option, a mode may be specified for security object handling. For example, a cookie may be used to store the security object directly on the user computing device (like a stored security object cache). On the other hand, no cookie may be used, and the security objects may be created every time there is an access. Other cookie parameters may also be specified, such as the name prefix of the cookie and the cookie length in box 1012. This length would be the number of hours before the security object/cookie expires on the user computing device. As another configuration option, the security objects may be configured to require a match between a cookie and a created security object. If this feature is turned on and the match is unsuccessful, then re-registration may be required.

As another configuration option, a feature may be configured that mandates only one security object cookie per device or browser instead of multiple security object cookies. If this is enforced, a new security object cookie would replace a previous cookie that has a different security object value. As another configuration option, the maximum number of security objects recorded by the authentication system may be specified, for example in order to limit how much history can be stored and registered for a particular user. If a user exceeds the maximum number of devices that may be registered to it, then the older devices in some embodiments may be removed when a new device is registered. Just as administrators can set preferences for all individual users on the authentication system, administrators may also set preferences on a per authentication realm basis. These preferences may also establish the distinct requirements for individual applications, such as a web application, or individual requirements for a certain authentication realm. For example, if Google deployed this system as a cloud service, then certain configuration preferences may be applicable only to google.com domains, and not to, for example, oracle.com domains.
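The device inventory, revocation and expiration options described in the Device Inventory and Device Revocation sections and in the configuration paragraphs above, as an added Python example that is not the patent's own code: the Policy and DeviceInventory names, the way the age and idle limits are evaluated, the auto_name helper, and the sample devices are this example's assumptions (the 0 = no expiration convention is the one the text gives).

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DAY = 86400  # seconds


@dataclass
class Policy:
    """Administrator settings described above.  For the two lengths,
    0 means no expiration; max_devices 0 means unlimited."""
    max_age_days: int = 0    # expire regardless of use
    idle_days: int = 0       # expire if not seen within this period
    max_devices: int = 0     # oldest registrations are dropped first


@dataclass
class Device:
    name: str
    security_object: str
    registered_at: float
    last_used_at: float


def auto_name(characteristics: dict) -> str:
    """Default device name built from collected characteristics,
    e.g. "Windows 7 / Firefox 35"; the user may rename it later."""
    parts = [characteristics.get("os"), characteristics.get("browser")]
    return " / ".join(p for p in parts if p) or "Unnamed device"


class DeviceInventory:
    """Per-user inventory behind the device inventory and revocation pages."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self._by_user: Dict[str, List[Device]] = {}

    def prune_expired(self, user_id: str, now: float) -> List[Device]:
        """Drop registrations past the age or idle limit; return the rest."""
        p = self.policy
        kept = []
        for d in self._by_user.get(user_id, []):
            too_old = p.max_age_days and now - d.registered_at > p.max_age_days * DAY
            idle = p.idle_days and now - d.last_used_at > p.idle_days * DAY
            if not (too_old or idle):
                kept.append(d)
        self._by_user[user_id] = kept
        return kept

    def register(self, user_id: str, security_object: str, name: str,
                 now: float) -> Device:
        """Associate a security object with the user; when the maximum
        number of devices is exceeded, the oldest registrations go."""
        devices = self.prune_expired(user_id, now)
        for d in devices:
            if d.security_object == security_object:
                d.last_used_at = now          # already registered
                return d
        device = Device(name, security_object, now, now)
        devices.append(device)
        devices.sort(key=lambda d: d.registered_at)
        if self.policy.max_devices and len(devices) > self.policy.max_devices:
            del devices[: len(devices) - self.policy.max_devices]
        return device

    def validate(self, user_id: str, security_object: str, now: float) -> bool:
        """The additional-factor check: is this security object still
        registered to the user?  A hit refreshes the last-used date."""
        for d in self.prune_expired(user_id, now):
            if hmac.compare_digest(d.security_object.encode(), security_object.encode()):
                d.last_used_at = now
                return True
        return False

    def revoke(self, user_id: str, names: Optional[Set[str]] = None) -> int:
        """Revoke the named devices, or every device when names is None.
        Returns how many associations were removed."""
        devices = self._by_user.get(user_id, [])
        kept = [] if names is None else [d for d in devices if d.name not in names]
        self._by_user[user_id] = kept
        return len(devices) - len(kept)

    def inventory(self, user_id: str, now: float) -> List[Tuple[str, float, float]]:
        """Rows for the inventory page: name, registration date, last-used date."""
        return [(d.name, d.registered_at, d.last_used_at)
                for d in self.prune_expired(user_id, now)]
```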

Although the embodiments above were described using the systems and methods herein with web data and web page data, the same authentication principles may be used for other types of applications, including standalone desktop applications such as a network application like Microsoft Outlook, or on mobile devices; for example, a mobile device app such as an iPhone app may be redirected by a network service to authenticate an additional factor with the authentication system. This mobile application may communicate with the authentication system and may collect statistics or characteristics of the mobile device, similar to the browser. Alternatively, this mobile application, as described in applications incorporated by reference herein, may use a browser to negotiate the authentication token to be consumed and sent to the network service that the mobile application is attempting to access. In either scenario, the mobile application may send characteristics to the authentication system for security object creation by the authentication system, and the resulting security object may be stored for future use. Thus, when the mobile application is used in the future, the additional authentication factor, such as certificate based authentication, one-time passwords, knowledge based authentication, YubiKey, or USB key based authentication, need not be performed; instead, the security object can be used in lieu of these additional factors of authentication as described herein.
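The request-time flow described in the paragraph above, and set out formally in claim 1 below, as an added worked example that is not code from the patent or any product it describes: the client presents a stored security object; the authentication system extracts the identifier, checks it against an identity database binding it to the claimed user and device, verifies a second factor when policy requires one (a one-time password, one of the factors the text names), determines an identity assertion format the target network resource accepts, and builds an identity assertion object that is separate from the security object. The identity database contents, resource metadata, the two assertion shapes (a JWT and a SAML-style skeleton), the server key, and the `second_factor_required` switch are constructed assumptions; RFC 6238 TOTP is used as a concrete one-time-password algorithm.

```python
"""Added example: security-object validation, second factor, and identity assertion.
Not the patent's code; database contents, resource metadata and formats are constructed."""
import base64
import hashlib
import hmac
import json
import struct

SERVER_KEY = b"constructed-server-key"   # constructed; real key material is not on the page

# Constructed identity database: security object identifier -> user, device, second-factor data.
IDENTITY_DB = {
    "so-7f3a": {"user": "alice@example.com", "device": "ios-2b1c",
                "totp_secret": b"12345678901234567890"},
}
# Constructed resource metadata: the identity assertion formats each network resource accepts.
RESOURCES = {
    "mail.example.com": {"accepts": ["saml2"], "audience": "https://mail.example.com/sp"},
    "api.example.com":  {"accepts": ["jwt"],   "audience": "https://api.example.com"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _mac(data: str) -> str:
    return hmac.new(SERVER_KEY, data.encode(), hashlib.sha256).hexdigest()


def security_object_value(object_id: str) -> str:
    """What the mobile app stores after registration: the identifier plus a server MAC over it."""
    return f"{object_id}.{_mac(object_id)}"


def validate_security_object(value: str, user: str, device: str):
    """Extract the identifier, check its MAC, and confirm the identity database binds it to this
    user and device. Returns the identifier on success, None otherwise."""
    object_id, _, mac = value.partition(".")
    rec = IDENTITY_DB.get(object_id)
    if rec is None or not hmac.compare_digest(mac.encode(), _mac(object_id).encode()):
        return None
    if rec["user"] != user or rec["device"] != device:
        return None
    return object_id


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1; `now` is epoch seconds."""
    digest = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_second_factor(object_id: str, code: str, now: int) -> bool:
    """Compare the presented code with the user's stored TOTP secret (current and previous step)."""
    secret = IDENTITY_DB[object_id]["totp_secret"]
    return any(hmac.compare_digest(code.encode(), totp(secret, now - d).encode()) for d in (0, 30))


def choose_assertion_format(resource: str, preference=("jwt", "saml2")):
    """Pick the first format in our preference order that the target resource accepts."""
    accepted = RESOURCES[resource]["accepts"]
    return next((f for f in preference if f in accepted), None)


def build_identity_assertion(fmt: str, user: str, resource: str, now: int) -> str:
    """The identity assertion carries the user's identity for the resource; it is a distinct
    object and never contains the security object or its identifier."""
    audience = RESOURCES[resource]["audience"]
    if fmt == "jwt":
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": user, "aud": audience, "iat": now, "exp": now + 300}
        signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                                 for p in (header, payload))
        sig = hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"
    if fmt == "saml2":
        # Skeleton only: a deployable SAML assertion is XML-signed and carries issuer and validity.
        return (f"<saml:Assertion><saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>"
                f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
                f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion>")
    raise ValueError(f"unsupported assertion format: {fmt}")


def jwt_payload(token: str) -> dict:
    """Verify a JWT built above and return its payload (what the consuming resource would do)."""
    head, body, sig = token.split(".")
    expected = hmac.new(SERVER_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def authenticate(request: dict, now: int, second_factor_required: bool = True) -> dict:
    """One access request end to end. With second_factor_required=False the registered security
    object stands in for the additional factor, as the mobile-application passage describes."""
    object_id = validate_security_object(request["security_object"], request["user"], request["device"])
    if object_id is None:
        return {"status": "denied", "reason": "security object not registered for this user and device"}
    if second_factor_required and not verify_second_factor(object_id, request.get("otp", ""), now):
        return {"status": "denied", "reason": "second factor failed"}
    fmt = choose_assertion_format(request["resource"])
    if fmt is None:
        return {"status": "denied", "reason": "no acceptable assertion format"}
    return {"status": "ok", "format": fmt,
            "assertion": build_identity_assertion(fmt, request["user"], request["resource"], now)}
```

Each denial reason is distinct so that the authentication system's logs can tell a device that was never registered apart from a correct device whose one-time password failed, which is the signal an operator needs when deciding whether to revoke a security object.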

Example Implementation System

FIG. 9 is a block diagram that illustrates a computer system 1200 upon which the various systems, devices, and/or methods discussed herein may be implemented. For example, some or all aspects of computing system 1200 may be included in any of web server 103 a, app server 103 n, user computing devices 110, and authentication system 102. Computer system 1200 includes a bus 1202 or other communication mechanism for communicating information, and a hardware processor, or multiple hardware processors, 1204 coupled with bus 1202 for processing information. Hardware processor(s) 1204 may be, for example, one or more general purpose microprocessors.

Computer system 1200 also includes a main memory 1206, such as a random access memory (RAM), cache and/or other dynamic storage devices, coupled to bus 1202 for storing information and instructions to be executed by processor 1204. Main memory 1206 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 1204. Such instructions, when stored in storage media accessible to processor 1204, render computer system 1200 into a special-purpose machine that is customized to perform the operations specified in the instructions.

Computer system 1200 further includes a read only memory (ROM) 1208 or other static storage device coupled to bus 1202 for storing static information and instructions for processor 1204. A storage device 1210, such as a magnetic disk, optical disk, or USB thumb drive (Flash drive), etc., is provided and coupled to bus 1202 for storing information and instructions.

Computing system 1200 may include modules configured to perform the authentication processes described herein. These modules may be stored in a mass storage device as executable software codes that are executed by the computing device(s). This and other modules may include, by way of example, components, such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables.

In general, the word “module,” as used herein, refers to logic embodied in hardware or firmware, or to a collection of software instructions, possibly having entry and exit points, written in a programming language, such as, for example, Java, Lua, C or C++. A software module may be compiled and linked into an executable program, installed in a dynamic link library, or may be written in an interpreted programming language such as, for example, BASIC, Perl, or Python. It will be appreciated that software modules may be callable from other modules or from themselves, and/or may be invoked in response to detected events or interrupts. Software modules configured for execution on computing devices may be provided on a computer readable medium, such as a compact disc, digital video disc, flash drive, magnetic disc, or any other tangible medium, or as a digital download (and may be originally stored in a compressed or installable format that requires installation, decompression or decryption prior to execution). Such software code may be stored, partially or fully, on a memory device of the executing computing device, for execution by the computing device. Software instructions may be embedded in firmware, such as an EPROM. It will be further appreciated that hardware modules may be comprised of connected logic units, such as gates and flip-flops, and/or may be comprised of programmable units, such as programmable gate arrays or processors. The modules or computing device functionality described herein are preferably implemented as software modules, but may be represented in hardware or firmware. Generally, the modules described herein refer to logical modules that may be combined with other modules or divided into sub-modules despite their physical organization or storage.

Computer system 1200 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 1200 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 1200 in response to processor(s) 1204 executing one or more sequences of one or more modules and/or instructions contained in main memory 1206. Such instructions may be read into main memory 1206 from another storage medium, such as storage device 1210. Execution of the sequences of instructions contained in main memory 1206 causes processor(s) 1204 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.

The term “non-transitory media,” and similar terms, as used herein refers to any media that store data and/or instructions that cause a machine to operate in a specific fashion. Such non-transitory media may comprise non-volatile media and/or volatile media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 1210. Volatile media includes dynamic memory, such as main memory 1206. Common forms of non-transitory media include, for example, a hard disk, solid state drive, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge, and networked versions of the same.

Non-transitory media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between non-transitory media. For example, transmission media includes coaxial cables, copper wire, and fiber optics, including the wires that comprise bus 1202. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 1204 for execution. For example, the instructions may initially be carried on a magnetic disk or solid state drive of a remote computer. The remote computer can load the instructions and/or modules into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 1200 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 1202. Bus 1202 carries the data to main memory 1206, from which processor 1204 retrieves and executes the instructions. The instructions received by main memory 1206 may optionally be stored on storage device 1210 either before or after execution by processor 1204.

Computer system 1200 also includes a communication interface 1218 coupled to bus 1202. Communication interface 1218 provides a two-way data communication coupling to a network link 1220 that may be connected to any other interface and/or network, for example network 120 of FIG. 1. For example, communication interface 1218 may be an Ethernet interface, integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 1218 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN (or WAN component to communicate with a WAN). Wireless links, such as 802.11 or microwave, may also be implemented. In any such implementation, communication interface 1218 sends and receives electrical, electromagnetic, or optical signals that carry digital data streams representing various types of information.

Network link 1220 typically provides data communication through one or more networks to other data devices. For example, network link 1220 may provide a connection through one or more local or non-local networks to host computers or other data equipment operated by an Internet Service Provider (ISP).

In an embodiment, the network link 1220 may provide data communication services through the world wide packet data communication network now commonly referred to as the “Internet.” Communication may be accomplished through the use of, for example, electrical, electromagnetic, and/or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 1220 and through communication interface 1218, which carry the digital data to and from computer system 1200, are example forms of transmission media.

Computer system 1200 may send messages and/or receive data, including program code, through the network(s), network link 1220 and communication interface 1218. In the Internet example, a server or other computer-enabled device or system may transmit a requested code for an application program through one or more networks and/or communication interface 1218.

Each of the processes, methods, and algorithms described in the preceding sections may be embodied in, and fully or partially automated by, code modules executed by one or more computer systems or computer processors comprising computer hardware. The processes and algorithms may be implemented partially or wholly in application-specific circuitry.

The various features and processes described above may be used independently of one another, or may be combined in various ways. All possible combinations and subcombinations are intended to fall within the scope of this disclosure. In addition, certain method or process blocks may be omitted in some implementations. The methods and processes described herein are also not limited to any particular sequence, and the blocks or states relating thereto can be performed in other sequences that are appropriate. For example, described blocks or states may be performed in an order other than that specifically disclosed, or multiple blocks or states may be combined in a single block or state. The example blocks or states may be performed in serial, in parallel, or in some other manner. Blocks or states may be added to or removed from the disclosed example embodiments. The example systems and components described herein may be configured differently than described. For example, elements may be added to, removed from, or rearranged compared to the disclosed example embodiments.

Conditional language, such as, among others, “can,” “could,” “might,” or “may,” unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements, and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without user input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment.

The term “comprising” as used herein should be given an inclusive rather than exclusive interpretation. For example, a general purpose computer comprising one or more processors should not be interpreted as excluding other computer components, and may possibly include such components as memory, input/output devices, and/or network interfaces, among others.

Any process descriptions, elements, or blocks in the flow diagrams described herein and/or depicted in the attached figures should be understood as potentially representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of the embodiments described herein in which elements or functions may be deleted, executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those skilled in the art.

It should be emphasized that many variations and modifications may be made to the above-described embodiments, the elements of which are to be understood as being among other acceptable examples. All such modifications and variations are intended to be included herein within the scope of this disclosure. The foregoing description details certain embodiments of the invention. It will be appreciated, however, that no matter how detailed the foregoing appears in text, the invention can be practiced in many ways. As is also stated above, it should be noted that the use of particular terminology when describing certain features or aspects of the invention should not be taken to imply that the terminology is being re-defined herein to be restricted to including any specific characteristics of the features or aspects of the invention with which that terminology is associated. The scope of the invention should therefore be construed in accordance with the appended claims and any equivalents thereof. 

1. A system for providing single-sign-on (SSO) credentials for a user on a mobile device to multiple network resources, the system comprising: one or more hardware processors; a computer-readable memory; and an authentication system comprising executable instructions stored in the computer-readable memory, wherein the one or more processors are programmed to at least: receive, over a network, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, and wherein the request includes a security object associated with the mobile device; validate the security object as authentic by: determining, from the security object, a security object identifier; determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization; when a determination is made that the security object identifier is associated with the mobile device and the user in the identity database, authenticate the user and the mobile device by: receiving a second authentication factor from the mobile device; validating the second authentication factor by comparing the second authentication factor with user data associated with the user, the user data accessed from the identity database; when a successful authentication of the mobile device and the user is made, determine an identity assertion format acceptable to the first network resource; create an identity assertion object related to the user in the determined identity assertion format, the identity assertion object being distinct from the security object and the object identifier; and provide, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource.

2.-21. (canceled)